Updated August 10, 2023
Introduction to Certificate Revocation
Certificate revocation is the process of canceling the digital certificate of the user. There can be many reasons for certificate revocation, such as the holder of the digital certificate reports complaint stated that private key for the corresponding public key which is specified in digital certificate has stolen if CA makes some mistakes while issuing the certificate, in such cases holder can request for certificate revocation. Before proceeding with the certificate revocation, CA ensures that the complainant is true or not; otherwise, someone can misuse this process.
Digital Certificate Revocation
There are two types such as Offline revocation status check and Online revocation status check, which is given in detail as follows;
1. Offline Certificate Revocation Status Check
CRL (Certificate Revocation List) is a primary means of checking the status of digital certificates offline. CRL contains a list of certificates that are published regularly by each CA, identifies all the certificates that have been revoked through the Life of CA. Note that CRL does not list the certificates whose validity is over; it only lists the certificates whose validity is still in range but are revoked for some reason.
Each CA issue has Certificate Revocation List where each CA signs the respective CRL. It is a sequential file which increases over time to include all certificate that has not expired but has been revoked. Each CRL has a serial number, date, and time on which the certificate was revoked and the reason behind the revocation. It also includes date and time The CRL was published and when the next one will be published. If user A wants to validate the certificate of B, the following steps are carried out.
- First, compare the current date with the validity date of the certificate to ensure that the certificate has not expired.
- Checks that user B certificate can be verified in terms of a signature by his own CA (who issued the certificate).
- Consult the latest Certificate Revocation List issued by CA of user B to ensure that User B certificate is not listed there as a revoked certificate.
- CRL can become quite big over time. In general, the bit is assumed that about 10% of the expired certificate will be revoked every year. So if CA has 100,000 users in two years, its own CRL could be 20,000 entries which are quite large. CRL checks need to be performed even by a user who wants to use the certificate of another user in the application that executes on that handheld device. If a mobile number has to store and check a CRL of size 20,00 users, it has to receive a CRL file first over the network, which is a great bottleneck. This problem leads to the concept of delta CRL, i.e. Delta Certificate Revocation List.
2. Online Certificate Revocation Status Check
Two protocol is used to check the certificate status – Online Certificate Status Protocol (OCSP) and Simple Certificate Validation Protocol (SCVP).
a. Online Certificate Status Protocol (OCSP)
- CA provides an OCSP responder as a server that contains information about the latest certificate revocation.
- When a client wants to check them if the particular certificate is valid or not, the client sends an OCSP request.
- OCSP responder checks the X.500 directory (which contains all the information about the certificate revocation) to check the requested certificate is valid or not.
- Based on the results, the OCSP responder sends a result back a digitally signed OCSP response for each of the certificates to the client. This response can be Good, Revoked, or Unknown. OCSP response also includes the date, time, and reason for the revocation if the certificate is revoked.
- Based on the response, the client decides what action to be taken. If the response is Good, the certificate is considered valid.
Online Certificate status protocol has some problems; it cannot check the validity of the certificate associated with the current certificate. For example, If User A wants to verify the certificate of User B using OCSP, OCSP will inform the User A whether the certificate of User B is valid or not. It will not validate the certificate of CA who issued a certificate to User A or any other higher level.
b. Simple Certificate Validation Protocol (SCVP)
Simple Certificate Validation Protocol is an online Certificate status reporting protocol that is designed to deal with the drawbacks of online Certificate status protocol. It is quite similar to the OCSP. Let’s understand this concept while differentiating with OCSP.
- In SCVP, the client sends the entire certificate to the sever number; the server performs other many checks also. While in OCSP, the client just sends the serial number of the certificate to the server.
- In SCVP, the client sends a collection of certificates to their server for checking, while in OCSP, only the giver certificate is being checked.
- In SCVP, the client can request for additional checks, type of revocation, etc. While in OCSP, the server checks whether the certificate is revoked or not.
- In SCVP, the server sends additional information of the certificate to the client, while in OCSP, the server sends the only status of the certificate to the client.
- SCVP provides more features than OCSP.
- OCSP protocol is being enhanced, and its new version OCSP extension or OCSP-X is currently in the proposal stage. The goals of OCSP-X are similar to SCVP.
This is a guide to Certificate Revocation. Here we discuss the introduction and digital certificate revocation along with an explanation. You may also have a look at the following articles to learn more –